[AZ-491] Cycle 3 batch 2: consolidate JWT test-mint helpers into TestSupport

AZ-491 (3 SP): eliminate the cycle-2 duplicate of JWT-minting logic
that existed in both SatelliteProvider.Tests/TestUtilities/
JwtTokenFactory.cs (unit-side) and SatelliteProvider.IntegrationTests/
JwtTestHelpers.cs (integration-side), where the same Expires <
NotBefore bug needed parallel fixes in commits f64d0d7 + 11b7074.

Option A chosen: new SatelliteProvider.TestSupport class library
(no test framework) holds the canonical JwtTokenFactory.Create /
CreateExpired / TamperSignature. Both Tests and IntegrationTests
consume it via ProjectReference; production projects (Api, Common,
DataAccess, Services.*) cannot depend on it. The notBefore-shift
workaround is preserved with an inline regression-prevention comment
back-referencing the cycle-2 fix commits.

SatelliteProvider.IntegrationTests/JwtTestHelpers.cs is stripped to
runner-only concerns: ResolveSecretOrThrow, AttachDefaultAuthorization,
and the DefaultSubject = "integration-tests" constant. Call sites in
Program.cs, JwtIntegrationTests.cs, and UavUploadTests.cs (10 sites)
switched to JwtTokenFactory.* with JwtTestHelpers.DefaultSubject
explicitly passed for the runner subject - behavior parity preserved.

Dockerfile for IntegrationTests gets the new TestSupport csproj
in its pre-restore COPY layer. Api Dockerfile unchanged (TestSupport
is NOT a production dependency).

A new code-review SKILL.md Phase 6 checklist row flags near-identical
helper logic across test projects as a Medium / Maintainability
finding with explicit cycle-2 retro back-reference, so this whole
pattern stops at one occurrence.

module-layout.md adds a TestSupport Shared/Cross-Cutting entry
documenting the production-isolation invariant. tests_unit.md +
tests_integration.md updated to describe the consolidated layout.
sln updated.

Test-suite gate (AC-2 + AC-3) deferred to Step 16 Final Test Run
per implement-skill convention. Per-batch review verdict:
PASS_WITH_WARNINGS with 1 Low (pre-existing 7.0.3 version pin
preserved verbatim from cycle-2 IntegrationTests csproj for parity;
not blocking; deferred bump).

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.TestSupport/JwtTokenFactory.cs

@@ -0,0 +1,82 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+using Microsoft.IdentityModel.Tokens;
+
+namespace SatelliteProvider.TestSupport;
+
+public static class JwtTokenFactory
+{
+    public const string DefaultSubject = "test-user";
+
+    public static string Create(
+        string secret,
+        string subject = DefaultSubject,
+        TimeSpan? lifetime = null,
+        IEnumerable<Claim>? extraClaims = null,
+        string algorithm = SecurityAlgorithms.HmacSha256)
+    {
+        ArgumentNullException.ThrowIfNull(secret);
+
+        var keyBytes = Encoding.UTF8.GetBytes(secret);
+        var signingKey = new SymmetricSecurityKey(keyBytes);
+        var credentials = new SigningCredentials(signingKey, algorithm);
+
+        var now = DateTime.UtcNow;
+        var expires = now.Add(lifetime ?? TimeSpan.FromHours(1));
+        // JwtSecurityToken rejects Expires <= NotBefore. For negative
+        // lifetimes (expired-token test fixture) shift NotBefore behind
+        // Expires so the constructor accepts the token and lifetime
+        // validation can fire downstream. DO NOT remove this branch —
+        // see cycle-2 commits f64d0d7 + 11b7074 (LESSONS.md L-testing).
+        var notBefore = expires <= now ? expires.AddMinutes(-5) : now;
+
+        var claims = new List<Claim>
+        {
+            new(JwtRegisteredClaimNames.Sub, subject),
+            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))
+        };
+
+        if (extraClaims is not null)
+        {
+            claims.AddRange(extraClaims);
+        }
+
+        var token = new JwtSecurityToken(
+            issuer: null,
+            audience: null,
+            claims: claims,
+            notBefore: notBefore,
+            expires: expires,
+            signingCredentials: credentials);
+
+        return new JwtSecurityTokenHandler().WriteToken(token);
+    }
+
+    public static string CreateExpired(string secret, string subject = DefaultSubject)
+    {
+        return Create(secret, subject, lifetime: TimeSpan.FromMinutes(-5));
+    }
+
+    public static string TamperSignature(string token)
+    {
+        ArgumentException.ThrowIfNullOrEmpty(token);
+
+        var parts = token.Split('.');
+        if (parts.Length != 3)
+        {
+            throw new ArgumentException("JWT must have three dot-separated parts.", nameof(token));
+        }
+
+        var signature = parts[2];
+        if (signature.Length == 0)
+        {
+            throw new ArgumentException("JWT signature segment is empty.", nameof(token));
+        }
+
+        var firstChar = signature[0];
+        var replacement = firstChar == 'A' ? 'B' : 'A';
+        parts[2] = replacement + signature[1..];
+        return string.Join('.', parts);
+    }
+}

SatelliteProvider.TestSupport/SatelliteProvider.TestSupport.csproj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <IsPackable>false</IsPackable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.0.3" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.0.3" />
+  </ItemGroup>
+
+</Project>